CVE-2022-25355
Description
EC-CUBE 3 and 4 improperly handle HTTP Host headers, allowing a remote unauthenticated attacker to forge password-reissue email URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
EC-CUBE versions 3.0.0 to 3.0.18-p3 (3 series) and 4.0.0 to 4.1.1 (4 series) improperly handle HTTP Host header values [1][2]. This vulnerability (CWE-913) lies in the password-reissue functionality: the absolute URL placed in the password-reissue email is built from the Host header of the incoming request, and the application uses that header without checking it against the site's legitimate hostname(s) [1][2]. No special configuration is needed to reach the vulnerable code path; exploitation does, however, require the recipient to act on the email (see the CVSS vector below).
Exploitation
A remote unauthenticated attacker sends a crafted HTTP request to a vulnerable EC-CUBE installation with a forged Host header value, for example an attacker-controlled domain [2]. Because the application does not validate the Host header, the password-reissue email it generates contains a URL whose host is the forged domain [1][2]. The email itself is genuine, so a user who follows the link is sent to the attacker's server, which receives the request and whatever the URL carries; the attacker can then continue the reissue process from there, potentially taking over the account. The CVSS vector (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects the high attack complexity and the required user interaction [2].
Impact
On successful exploitation, an attacker can direct EC-CUBE to send an email containing a forged password-reissue URL to users [1][2]. If a user follows the link and completes the reissue process on the attacker-controlled site, the attacker can compromise the user's account [1][2]. The impact is limited to integrity (forged URL), with no direct confidentiality or availability impact according to the CVSS score [2].
Mitigation
For EC-CUBE 4 series, the fix is to configure TRUSTED_HOSTS — either by setting it in the application configuration or by upgrading to EC-CUBE 4.1.2 (released 2022-02-22), which provides an administrative UI to configure TRUSTED_HOSTS under Admin Console > Settings > System Settings > Security [1][2]. For EC-CUBE 3 series, the developer has provided a patch to apply the same host validation logic [1][2]. There are no known workarounds other than applying the patch or configuration change. No evidence of active exploitation in the wild has been reported as of the disclosure date [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ec-cube/ec-cube (Packagist) | >= 3.0.0, <= 3.0.18-p3 | — |
| ec-cube/ec-cube (Packagist) | >= 4.0.0, < 4.1.2 | 4.1.2 |
Affected products
- Range: EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of the HTTP Host header allows an attacker to inject an arbitrary hostname into URLs generated by the application."
Attack vector
A remote unauthenticated attacker sends a crafted HTTP request to the EC-CUBE application with a forged `Host` header value pointing to an attacker-controlled domain. Because the application does not validate the Host header before using it to build absolute URLs, EC-CUBE places the untrusted value in the password-reissue URLs it writes into outgoing emails. The attacker can thus cause the application to send password-reset links that direct users to the attacker's server, enabling account takeover if a user follows the link [ref_id=1]. Note that the defect is missing validation of an attacker-controlled request header rather than a missing authorization check, although it is listed under [CWE-862].
Affected code
For EC-CUBE 3.x, the vulnerable code is in `/html/index.php` and `/html/index_dev.php` — these entry points lack a call to `\Symfony\Component\HttpFoundation\Request::setTrustedHosts()` to validate the HTTP Host header [ref_id=1]. For EC-CUBE 4.x, the advisory states that the `TRUSTED_HOSTS` environment variable (or `.env` setting) is not configured by default, leaving the application without Host header validation [ref_id=1].
What the fix does
For EC-CUBE 3.x, the patch adds a call to `\Symfony\Component\HttpFoundation\Request::setTrustedHosts(array('^www\.example\.com$'));` in both `/html/index.php` and `/html/index_dev.php`, with `www.example.com` replaced by the site's own hostname [ref_id=1]. Symfony then matches the Host header (lower-cased, port stripped) against the configured regex(es) and refuses any request whose host does not match, so a forged Host value never reaches URL generation. Two points matter when applying it: anchor each pattern with `^` and `$`, because Symfony only searches for the pattern inside the host and an unanchored `www\.example\.com` would also accept `www.example.com.attacker.example`; and list every hostname the shop is legitimately served under (including any separate admin hostname), because requests for unlisted hosts are rejected rather than served. For EC-CUBE 4.x, the fix requires administrators to set the `TRUSTED_HOSTS` environment variable (or `.env` entry) with a regex matching their legitimate hostname(s), subject to the same two points; starting from version 4.1.2 this is set automatically during installation [ref_id=1].
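The following is an added illustration, not EC-CUBE or Symfony code: it models the attack vector and the fix described above in Python, building the password-reissue URL from a request the vulnerable way and then the way a Symfony-style trusted-host allowlist does it. The request dictionaries, the hostnames `www.example.com` and `attacker.example`, and the reset key are all constructed for the example; the host normalization and unanchored regex search mirror the behaviour of Symfony's `Request::setTrustedHosts()` / `getHost()` as described on the ec-cube.net advisory and in Symfony's own documentation.

```python
"""Model of CVE-2022-25355: the absolute URL in a password-reissue mail built from
the HTTP Host header, before and after a Symfony-style trusted-host allowlist.
Added illustration only; request objects, hostnames and reset key are constructed."""
import re
from urllib.parse import urlunsplit

# Constructed sample requests (not captured traffic). The reset key is a placeholder
# standing in for the per-user token that the reissue link carries.
LEGIT_REQUEST = {"scheme": "https", "host": "www.example.com", "path": "/forgot"}
FORGED_REQUEST = {"scheme": "https", "host": "attacker.example", "path": "/forgot"}
# A forged Host that still *contains* the real hostname: defeats an unanchored pattern.
SNEAKY_REQUEST = {"scheme": "https", "host": "www.example.com.attacker.example", "path": "/forgot"}
RESET_KEY = "0123456789abcdef"  # constructed placeholder, not a real token


class UntrustedHost(ValueError):
    """Raised when the Host header does not match any trusted pattern."""


def _normalize_host(raw: str) -> str:
    """Mirror what Symfony's Request::getHost() does before matching: trim,
    lower-case, strip an explicit port, and reject characters that cannot
    appear in a hostname."""
    host = raw.strip().lower()
    host = re.sub(r":\d+$", "", host)
    if not host or re.search(r"[^a-z0-9\-.\[\]:_]", host):
        raise UntrustedHost(f"invalid Host header: {raw!r}")
    return host


def reissue_url_unsafe(request: dict, reset_key: str) -> str:
    """Vulnerable pattern: whatever the client sent as Host becomes the mail's link."""
    return urlunsplit((request["scheme"], request["host"], f"/forgot/reset/{reset_key}", "", ""))


def reissue_url_trusted(request: dict, reset_key: str, trusted_patterns: list[str]) -> str:
    """Hardened pattern: the Host must match one of the configured regexes or the
    request is refused (Symfony raises for the untrusted host, which recent
    versions turn into a 400 Bad Request). As with setTrustedHosts(), patterns
    are matched case-insensitively and are NOT anchored for you."""
    host = _normalize_host(request["host"])
    if not any(re.search(pattern, host, re.IGNORECASE) for pattern in trusted_patterns):
        raise UntrustedHost(f"untrusted Host header: {host!r}")
    return urlunsplit((request["scheme"], host, f"/forgot/reset/{reset_key}", "", ""))


def outcome(request: dict, trusted_patterns: list[str]) -> str:
    """Return the URL the mail would carry, or 'rejected' if the host check fails."""
    try:
        return reissue_url_trusted(request, RESET_KEY, trusted_patterns)
    except UntrustedHost:
        return "rejected"


if __name__ == "__main__":
    anchored = [r"^www\.example\.com$"]   # what the advisory's example does
    unanchored = [r"www\.example\.com"]    # a tempting mistake
    print("vulnerable build:", reissue_url_unsafe(FORGED_REQUEST, RESET_KEY))
    for req in (LEGIT_REQUEST, FORGED_REQUEST, SNEAKY_REQUEST):
        print(f"{req['host']:36} anchored={outcome(req, anchored)!s:52} unanchored={outcome(req, unanchored)}")
```

With the anchored pattern only the legitimate host produces a link; both forged hosts are rejected before any URL is generated, while the unanchored pattern lets the `www.example.com.attacker.example` host through, which is why the advisory's pattern carries `^` and `$`. To check a real deployment, send the reissue request with a Host header that is not in the allowlist and confirm the instance refuses it instead of serving the page and sending mail.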
Preconditions
- Network: The attacker must be able to send HTTP requests to the EC-CUBE application.
- Auth: No authentication is required; the vulnerability is exploitable by an unauthenticated remote attacker.
- Config: The application must be configured to send password-reissue emails (default behavior).
- Input: The attacker must control a server that can receive the redirected user and serve a fake password-reset page.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pw97-6v74-9w3p (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25355 (GHSA, advisory)
- jvn.jp/en/jp/JVN53871926/index.html (GHSA, x_refsource_MISC, web)
- www.ec-cube.net/info/weakness/20220221 (GHSA, web)
- www.ec-cube.net/info/weakness/20220221/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.